mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory

This avoids a potential division by zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>

mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory
This avoids a potential division by zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
f875a732 · Martin Storsjö · a92538b7 · f875a732
Commit f875a732 authored Sep 16, 2013 by Martin Storsjö
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 3 deletions

mpeg4videodec.c libavcodec/mpeg4videodec.c +9 -3

No files found.
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -154,7 +154,7 @@ static inline int mpeg4_is_resync(MpegEncContext *s){
    return 0;
 }

-static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb)
+static int mpeg4_decode_sprite_trajectory(MpegEncContext *s, GetBitContext *gb)
 {
    int i;
    int a= 2<<s->sprite_warping_accuracy;
@@ -170,6 +170,9 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb
    int h= s->height;
    int min_ab;

+    if (w <= 0 || h <= 0)
+        return AVERROR_INVALIDDATA;
+
    for(i=0; i<s->num_sprite_warping_points; i++){
        int length;
        int x=0, y=0;
@@ -342,6 +345,7 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb
        }
        s->real_sprite_warping_points= s->num_sprite_warping_points;
    }
+    return 0;
 }

 /**
@@ -416,7 +420,8 @@ int ff_mpeg4_decode_video_packet_header(MpegEncContext *s)
            skip_bits(&s->gb, 3); /* intra dc vlc threshold */
 //FIXME don't just ignore everything
            if(s->pict_type == AV_PICTURE_TYPE_S && s->vol_sprite_usage==GMC_SPRITE){
-                mpeg4_decode_sprite_trajectory(s, &s->gb);
+                if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0)
+                    return AVERROR_INVALIDDATA;
                av_log(s->avctx, AV_LOG_ERROR, "untested\n");
            }

@@ -2031,7 +2036,8 @@ static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){
     }

     if(s->pict_type == AV_PICTURE_TYPE_S && (s->vol_sprite_usage==STATIC_SPRITE || s->vol_sprite_usage==GMC_SPRITE)){
-         mpeg4_decode_sprite_trajectory(s, gb);
+         if (mpeg4_decode_sprite_trajectory(s, gb) < 0)
+             return AVERROR_INVALIDDATA;
         if(s->sprite_brightness_change) av_log(s->avctx, AV_LOG_ERROR, "sprite_brightness_change not supported\n");
         if(s->vol_sprite_usage==STATIC_SPRITE) av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n");
     }